js_escape.lib.php
3.39 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
<?php
/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
* Javascript escaping functions.
*
* @package PhpMyAdmin
*
*/
/**
* Format a string so it can be a string inside JavaScript code inside an
* eventhandler (onclick, onchange, on..., ).
* This function is used to displays a javascript confirmation box for
* "DROP/DELETE/ALTER" queries.
*
* @param string $a_string the string to format
* @param boolean $add_backquotes whether to add backquotes to the string or not
*
* @return string the formatted string
*
* @access public
*/
function PMA_jsFormat($a_string = '', $add_backquotes = true)
{
if (is_string($a_string)) {
$a_string = htmlspecialchars($a_string);
$a_string = PMA_escapeJsString($a_string);
// Needed for inline javascript to prevent some browsers
// treating it as a anchor
$a_string = str_replace('#', '\\#', $a_string);
}
return (($add_backquotes) ? PMA_backquote($a_string) : $a_string);
} // end of the 'PMA_jsFormat()' function
/**
* escapes a string to be inserted as string a JavaScript block
* enclosed by <![CDATA[ ... ]]>
* this requires only to escape ' with \' and end of script block
*
* We also remove NUL byte as some browsers (namely MSIE) ignore it and
* inserting it anywhere inside </script would allow to bypass this check.
*
* @param string $string the string to be escaped
* @return string the escaped string
*/
function PMA_escapeJsString($string)
{
return preg_replace('@</script@i', '</\' + \'script',
strtr($string, array(
"\000" => '',
'\\' => '\\\\',
'\'' => '\\\'',
'"' => '\"',
"\n" => '\n',
"\r" => '\r')));
}
/**
* Formats a value for javascript code.
*
* @param string $value String to be formatted.
*
* @retrun string formatted value.
*/
function PMA_formatJsVal($value)
{
if (is_bool($value)) {
if ($value) {
return 'true';
} else {
return 'false';
}
} elseif (is_int($value)) {
return (int)$value;
} else {
return '"' . PMA_escapeJsString($value) . '"';
}
}
/**
* Formats an javascript assignment with proper escaping of a value
* and support for assigning array of strings.
*
* @param string $key Name of value to set
* @param mixed $value Value to set, can be either string or array of strings
* @param bool $escape Whether to escape value or keep it as it is (for inclusion of js code)
*
* @return string Javascript code.
*/
function PMA_getJsValue($key, $value, $escape = true)
{
$result = $key . ' = ';
if (!$escape) {
$result .= $value;
} elseif (is_array($value)) {
$result .= '[';
foreach ($value as $id => $val) {
$result .= PMA_formatJsVal($val) . ",";
}
$result .= "];\n";
} else {
$result .= PMA_formatJsVal($value) . ";\n";
}
return $result;
}
/**
* Prints an javascript assignment with proper escaping of a value
* and support for assigning array of strings.
*
* @param string $key Name of value to set
* @param mixed $value Value to set, can be either string or array of strings
*
* @return nothing
*/
function PMA_printJsValue($key, $value)
{
echo PMA_getJsValue($key, $value);
}
?>